Facebook, Ubisoft, and Morningstar are all recent examples of data breaches that involved the unauthorized release of email addresses. In one of several conversations I have had about these events, some people could not understand why others were upset about the release; after all, they are only email addresses. Here is how I explained it.
Is an email address PII?
Determining if an email address is personally identifiable information, PII, is a good place to start to understand why people get upset. Unfortunately, this is not a simple question.
The US states’ data breach laws, as summarized in Nymity’s Breach Response Support Center, show that an email address is considered PII only when it provides access to a financial account or resources (North Carolina).
However, staying within the US, M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 specifically identifies an email address as PII (Attachment A II.A.b).
The European Union Directive on Data Privacy (95/46/EC) defines personal information as
…any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
In many cases an email address can be related to a single individual. For this reason many organizations consider an email address as PII.
So, what are the consequences of a lost email address?
The most obvious consequence of an evildoer obtaining a set of email addresses is spam. We all get spam every day and it is an annoyance. However, when the email address is combined with the branding of the source from which it was obtained, it becomes more dangerous.
When an email arrives from a vendor they are familiar with or do business with, most people are likely to trust its contents. If links are present or an attachment is enclosed, the email can be a vehicle for the distribution of malware.
If the email itself or an enclosed link requests information from the recipient then the stolen email address is being used as a vehicle for a phishing scheme.
Finally, many sites are using email addresses as user-ids for log-in authentication. Depending on the strength requirements for a site’s password and the strength of the security measures being taken (e.g. multi-factor authentication), the evildoer may now have half of the information needed to access someone’s account.
If the loss of email addresses by an organization could be the root cause of a customer’s computer being infected, a customer being phished, or further accounts being breached, doesn’t an organization have a social responsibility to treat and protect an email address as PII?
What can an organization do?
If you collect an email address from your customers, consider how you are storing the address. Are the protections in place sufficient to protect the information? Has encrypting the information been considered?
If you are an organization that uses email addresses as a user-id for log-in to accounts, consider using a multi-factor authentication approach. Many financial institutions already do this by incorporating challenge questions into their log-in process in addition to requiring user-id and password.
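As an added example that is not part of the original post, here is one way an organization can keep a customer's email address encrypted at rest while a log-in form can still find the account by address. It is standard-library Go; the Vault type, the key names and the HMAC "blind index" approach are this example's own assumptions, not anything the post prescribes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"strings"
)

// Vault protects a stored address two ways: AES-256-GCM for the value at rest,
// plus a keyed HMAC "blind index" so a log-in form can still look a row up by
// email without the table ever holding addresses in the clear.
type Vault struct{ aead cipher.AEAD; indexKey []byte }

// NewVault takes a 32-byte AES key and an independent HMAC key (from a KMS in production, never source or the database).
func NewVault(encKey, indexKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: g, indexKey: indexKey}, nil
}
// BlindIndex is deterministic per normalized address (a unique DB index can sit on it) but, without indexKey, cannot be reversed or joined to another leak.
func (v *Vault) BlindIndex(email string) string {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(m.Sum(nil))
}
// Seal returns what the database stores: the blind index and nonce||ciphertext.
func (v *Vault) Seal(email string) (index string, ct []byte, err error) {
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per record
	if _, err = rand.Read(nonce); err != nil {
		return "", nil, err
	}
	return v.BlindIndex(email), v.aead.Seal(nonce, nonce, []byte(email), nil), nil
}
// Open decrypts a stored value; any modified byte fails GCM authentication.
func (v *Vault) Open(ct []byte) (string, error) {
	if n := v.aead.NonceSize(); len(ct) >= n {
		pt, err := v.aead.Open(nil, ct[:n], ct[n:], nil)
		return string(pt), err
	}
	return "", io.ErrUnexpectedEOF
}
```

A breach of the table alone yields neither addresses nor anything that can be joined to another breach's list, while the log-in path still works by computing BlindIndex on the submitted address.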